
by Scott Recover your P0RN from your RAID Array!


Academic year: 2021


(1)

Recover your

P0RN from your

(2)

• BRIEF Coverage ;)

• Unusual Arrays

• Intro to RAID

• About RAID 0

• Sight Samples

• Sound Samples

• About RAID 5

(3)

Mission Briefing (1)

WHY RAID RECOVERY?

RAID recovery is EXPENSIVE!

It's more difficult than a single drive.

It's very time consuming.

Has more than one point of failure.

Many people have problems with them and send me questions!

(4)

Mission Briefing (2)

Assumptions for this Talk

• We are assuming you have already done what I previously described in videos to repair the damaged drive.

• We are also assuming you know nothing about how the data is

(5)

Mission Briefing (3)

Goals for this Talk!

• DIY:* Teach you how to rebuild RAID yourself from my experiences.

• Do it as cheap as possible!

– i.e. free or under $100!

• Do as much in software as quickly as possible by sight and sound

(6)

Mission Briefing (4)

What's it going to take?

• A bit of time...

• Lots of free disk space...

• You have to find the Pictures...

• Persistence and Experimentation...

• In some cases, Research

(7)

What is a RAID Array?

• Redundant Array of (Inexpensive or Independent) Disks.

• Regardless of marketing on the box some arrays are not “Redundant.”

• Different types of arrays need different quantities of drives & you need to know how many that is!

(8)

Covering Unusual Arrays

• JBODs such as in LaCie or generic external enclosures.

• XFS/ZFS Arrays such as NAS drives from Western Digital or Buffalo.

• Combinations with offsets & RAID 0

(9)
(10)
(11)

JBOD Drives (1)

• Means “Just a Bunch of Disks” and they are just linked logically together end to end.

• These drives usually have no fan, get very hot and contain several drives. Sometimes the cables are melted together.

• Sometimes they are custom and employ different variations for different drives.

• Generally they can be recovered individually by scanning for file headers.

• One drive will have a File System Table of some sort; the others will be just raw files with no file system structure without the first disk.

(12)
(13)

Host Protected Area (HPA)

• ATA-4 Standard – Host Protected Area aka HPA, used to limit the capacity of a drive for storage of additional info usually

(14)
(15)

Windows Dynamic Disks

• Dynamic disks do not use partition tables, they use LDM which is at the end of the disk and needs to be done backwards.

• It uses one single partition occupying the entire disk minus one cylinder. When volumes are added or deleted the partition table is not updated.

• This will be noticed right away by some data recovery software like R-Studio.

(16)

Processing XFS/ZFS Arrays

• XFS / ZFS is very hard to recover from due to the lack of commercial software available. Some tools that can help:

– TESTDISK (free) supports repairing XFS partitions and writing them back out.

– UFS Explorer (ufsexplorer.com) has

(17)
(18)

Let’s talk about RAID ZERO!

(19)

RAID 0 Arrays Overview

(20)

RAID 0: How it works

• RAID 0 has NO redundancy and does NOTHING to protect data! Losing one drive loses all your data.

• RAID 0 should be called AIDS:

(21)

RAID 0 with more than TWO

• You can have a RAID 0 array with more than two drives.

• There are generally no sequence numbers for the order.

• If there are four drives in the array, there can be as many as 72 different combinations to test.

More than two drives? No backup? That's just CRAZY! Yes, Photographers I mean you! Your Mac is made of the same crap as a PC :O>

(22)

WHICH IS THE FIRST DRIVE?

• In most cases you can determine the first drive in the array, depending on the slice size. How?

• In the first sector you will find an MBR and at sector 63 you will see the active boot partition, in most

(23)

Partition Example

(24)
(25)

RAID 0

• Put the first drive in the first slot of whatever software you are using.

• Put the other drives in their slots.

• Set the size of your slice to your guess… Usually 64 is the default (unless some tech messed with it)

• Scan for Pictures (JPG, JPEG, GIF) or MP3s.

(26)

Slice Sizes (2k to 2048k)

• Extract samples between the possible boundaries, i.e.:

»16k

»32k

»64k

»128k

»256k

»512k
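The slice-size and drive-order search described on the RAID 0 slides, as an added Python example that is not from the talk: it pins the first member by the MBR signature in sector 0, then re-weaves every remaining order at each slice size listed above. It assumes three members and uses a constructed zlib stream in place of the picture or MP3 the talk judges by eye and ear, because a zlib stream carries its own checksum; all function names are hypothetical.

```python
import itertools, random, zlib

def stripe(volume, n, size):
    """Build n RAID 0 member images from a volume (round-robin slices)."""
    cuts = [volume[i:i + size] for i in range(0, len(volume), size)]
    return [b"".join(cuts[k::n]) for k in range(n)]

def weave(disks, size):
    """Re-interleave member images, in the order given, at one slice size."""
    rows = range(0, max(map(len, disks)), size)
    return b"".join(d[off:off + size] for off in rows for d in disks)

def first_disks(disks):
    """Members whose sector 0 ends in the MBR signature 55 AA."""
    return [i for i, d in enumerate(disks) if d[510:512] == b"\x55\xaa"]

def file_is_whole(volume, start):
    """Automated 'does it look right': stream must decode and pass its checksum."""
    d = zlib.decompressobj()
    try:
        d.decompress(volume[start:])
    except zlib.error:
        return False
    return d.eof  # False if the stream never reached its end marker

def find_geometry(disks, start, sizes_kib=(16, 32, 64, 128, 256, 512)):
    """Try each order (first disk pinned by its MBR) and each slice size."""
    hits = []
    for first in first_disks(disks):
        rest = [i for i in range(len(disks)) if i != first]
        for tail in itertools.permutations(rest):
            order = (first,) + tail
            for kib in sizes_kib:
                vol = weave([disks[i] for i in order], kib * 1024)
                if file_is_whole(vol, start):
                    hits.append((order, kib))
    return hits

def constructed_members():
    """Constructed sample: 1 MiB volume, 64 KiB slices, 3 disks, shuffled."""
    n = 600 * 1024
    blob = zlib.compress(random.Random(7).getrandbits(8 * n).to_bytes(n, "little"))
    vol = bytearray(1024 * 1024)
    vol[510:512] = b"\x55\xaa"                      # MBR signature in sector 0
    vol[63 * 512:63 * 512 + len(blob)] = blob       # file starts at sector 63
    d = stripe(bytes(vol), 3, 64 * 1024)
    return [d[2], d[0], d[1]]                       # bench order is unknown
```

`find_geometry(constructed_members(), 63 * 512)` returns the single order and slice size at which the sample file reassembles intact; every wrong guess breaks the stream at the first slice boundary it crosses.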

(27)

How do you know when you are wrong??

REVIEWING SAMPLES EXTRACTED

(28)
(29)
(30)
(31)
(32)
(33)
(34)
(35)
(36)

Once you get it right you get

(37)

Extracted MP3 Sound File

(38)

Extracted MP3 Sound File

(39)

Extracted MP3 Sound File

(40)

How Large is your RAID 5 Array??

(41)

RAID 5: Controllers

• There are two kinds of controllers for RAID, Host Based and Discrete controllers.

(42)

RAID 5: How it works

• RAID 5 Array protects the server from “down time.”

• RAID 5 does this by storing parity data on all the hard drives.

• Parity is a formula that calculates error correction data.

• By distributing parity across all drives it creates a safety net for the data when a

(43)

RAID 5 Array Overview

(44)
(45)

RAID5 XOR

• Parity is calculated by XORing together the data slices in a row; the result is stored as that row's parity slice.

• For 3 drives it looks like this:

(46)

Why is it in for Recovery?

• There have also been times where RAID 5 arrays have failed a single drive, but no one noticed before a second one failed.

• If two drives fail and the array goes down, which drive do you need to repair???

(47)

RAID 5: How it works

• Usually reassembly of RAID is hard because there are two or more unknowns, so it is hard to guess correctly:

– Disk Order is Unknown

– Slice Sizes can Vary

– Variations on Slice Arrangements

– Fragmentation and Boundaries

• Looking at the Pictures as Jigsaws has helped me figure out the arrangements.

(48)

Slice Sizes (2k to 2048k)

• You still have the slice boundaries:

»16k

»32k

»64k

»128k

»256k

»512k

»1024k

(49)

(EXTRA) JPG Start and End

(50)
(51)
(52)
(53)

Contiguous Slice Sizes

2 Megs 1 Meg 512k 256k 128k 64k

(54)

Jigsaw: Do they Belong?

Do Slices Belong to Same

(55)
(56)
(57)
(58)
(59)

Are they in the wrong order?

Do Slices Belong to Same

(60)
(61)
(62)
(63)

Steps to rebuild RAID 5 array

1. Repair all necessary BAD drives.

2. Image the damaged drive(s) and recover as many sectors as possible.

3. Image all the good drives.

4. Use software to analyze and re-weave the images back together virtually. Test data!

5. Write the newly weaved image back to a hard drive to start the logical recovery (follow the logical recovery section for the type of

(64)

Free Code to Assemble Array

#!/usr/bin/perl -w
#
# raid5 perl utility
# Copyright (C) 2005
# Mike Hardy <mike [at] mikehardy.net>
#
# This script understands the default linux raid5 disk layout,
# and can be used to check parity in an array stripe, or to calculate
# the data that should be present in a chunk with a read error.

my @array_components = ();   # fill in the member devices or image files, in array order
my $chunk_size = 64 * 1024;  # chunk size is 64K
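The XOR parity from the RAID5 XOR slide and the "re-weave" step of the rebuild list, as an added Python example that is neither the talk's code nor Mike Hardy's script: it checks parity per stripe, regenerates a lost member from the survivors, and weaves the data chunks back into one volume. It assumes three members, a 64K chunk and the left-symmetric parity rotation that Linux md uses by default; the function names and the sample volume are constructed for illustration.

```python
def xor(*chunks):
    """Byte-wise XOR of equal-length chunks."""
    v = 0
    for c in chunks:
        v ^= int.from_bytes(c, "big")
    return v.to_bytes(len(chunks[0]), "big")

def parity_disk(stripe_no, n):
    """Left-symmetric rotation: parity starts on the last disk, moves left."""
    return (n - 1) - (stripe_no % n)

def build(volume, n, chunk):
    """Constructed sample only: lay a volume out as n RAID 5 members."""
    disks = [bytearray() for _ in range(n)]
    row = (n - 1) * chunk
    for s, off in enumerate(range(0, len(volume), row)):
        data = [volume[off + i * chunk:off + (i + 1) * chunk].ljust(chunk, b"\0")
                for i in range(n - 1)]
        p = parity_disk(s, n)
        disks[p] += xor(*data)                  # parity slice for this row
        for i, c in enumerate(data):
            disks[(p + 1 + i) % n] += c         # data follows the parity disk
    return [bytes(d) for d in disks]

def rebuild_member(survivors):
    """A lost member is the XOR of all surviving members."""
    return xor(*survivors)

def bad_stripes(disks, chunk):
    """Stripe numbers whose chunks do not XOR to zero."""
    return [off // chunk for off in range(0, len(disks[0]), chunk)
            if any(xor(*(d[off:off + chunk] for d in disks)))]

def reweave(disks, chunk):
    """Drop parity and return the data chunks in volume order."""
    n, out = len(disks), bytearray()
    for s, off in enumerate(range(0, len(disks[0]), chunk)):
        p = parity_disk(s, n)
        for i in range(n - 1):
            out += disks[(p + 1 + i) % n][off:off + chunk]
    return bytes(out)

def constructed_volume():
    """Constructed sample: 768 KiB of numbered 8-byte records."""
    return b"".join(b"%07d\n" % i for i in range(98304))
```

A non-empty result from `bad_stripes` on a full set of images points at the rows where one member holds stale or damaged data, which is the check to run before trusting a re-woven image.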

(65)

Software to Rebuild RAID 5

• Remember our goal is to cost less than $100 and be able to rebuild “AIDS” and RAID5.

• Give the most options and produce an image file.

• My Choices:

– Raid Reconstructor from Runtime.org

– R-Studio from r-tools technology.

(66)

Using R-Studio

RAID Live Demo

(67)
(68)

Model in Photos: Randi Lamey

Bonus

Pictures
